In order to authenticate a user's identity, systems often require that the user prove that they know something, have something, or are something. For example, a website may require that a user know a user name and password to gain access.
Due to how ubiquitous mobile phone possession is, mobile phones are increasingly being used in user authentication. For example, a Short Message Service (SMS) text message may carry a one-time password (OTP) sent to a mobile phone as one step of a multi-factor authentication process. As another example, mobile transaction authentication numbers (mTAN) are used in many banking systems throughout the world to authenticate a user requesting a banking transaction. With an mTAN, the user is sent an SMS text message that usually includes a six-digit transaction authentication number (TAN) and sometimes the parameters of the requested transaction, such as amount, destination account, etc.
With the increased use of mobile phones as a medium for authentication, criminals have identified a lucrative new mechanism to defraud victims. Subscriber Identity Module (SIM) swap fraud is a technique in which a fraudster causes a SIM card under the fraudster's control to be associated with the victim's mobile telephone number. In other words, through social engineering (e.g., impersonating the victim) or other techniques, the operator of the mobile telephone network is tricked into deactivating the victim's legitimate SIM card and activating a SIM card controlled by the fraudulent party in association with the victim's mobile phone number. This has the effect of hijacking the victim's mobile phone number, such that any phone calls or text messages sent to the victim's mobile telephone number (including authentication messages) are delivered to the fraudster. The fraudster can then exploit any accounts that are tied to the victim's mobile telephone number.
It is to be understood that a Subscriber Identity Module (SIM) is an integrated circuit that securely stores information (e.g., an international mobile subscriber identity (IMSI) number and its related key) which is used to identify and authenticate subscribers on mobile telephony devices (such as cellular phones, satellite phones and computers). Typically, a SIM is implemented as a card (made of, e.g., PVC), containing semiconductors and embedded contacts, which can be inserted into and communicatively coupled with the mobile telephony device. Typically, a SIM is registered with and activated by the operator of the mobile telephony network, which then uses the SIM card to authenticate the subscriber and ensure s/he is authorized to use the network.
Technology that seeks to mitigate mobile-phone-based authentication fraud is sometimes based on tighter integration with the operator of the mobile telephony network or with the provider requesting authentication. However, such solutions are limited in their scope and appeal.
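The following is an added illustration, not part of the original text: a constructed model of the operator-side binding between a mobile number (MSISDN) and the SIM identity (IMSI) serving it, the re-binding step that a SIM swap performs, and a hypothetical operator-integrated check that withholds an mTAN while the SIM behind a number is younger than a policy threshold. All identifiers, the registry class and the 24-hour threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Binding:
    imsi: str            # SIM identity currently serving the number (constructed values below)
    bound_at: datetime   # when this SIM was activated for the number


class OperatorRegistry:
    """Constructed stand-in for the operator's MSISDN -> SIM binding table."""

    def __init__(self) -> None:
        self._bindings: dict[str, Binding] = {}

    def activate(self, msisdn: str, imsi: str, when: datetime) -> None:
        self._bindings[msisdn] = Binding(imsi, when)

    def swap_sim(self, msisdn: str, new_imsi: str, when: datetime) -> None:
        # The fraud step described above: the old SIM is deactivated and the
        # number is re-pointed at a SIM the legitimate subscriber does not hold.
        self.activate(msisdn, new_imsi, when)

    def sim_age(self, msisdn: str, now: datetime) -> timedelta:
        return now - self._bindings[msisdn].bound_at


def mtan_delivery_decision(registry: OperatorRegistry, msisdn: str, now: datetime,
                           min_sim_age: timedelta = timedelta(hours=24)) -> dict:
    """Hypothetical policy at the party sending the mTAN: refuse SMS delivery
    while the SIM behind the number changed more recently than min_sim_age,
    so the transaction can be routed to out-of-band verification instead."""
    age = registry.sim_age(msisdn, now)
    hours = age.total_seconds() / 3600
    if age < min_sim_age:
        return {"send": False, "reason": "recent-sim-change", "sim_age_hours": hours}
    return {"send": True, "reason": "ok", "sim_age_hours": hours}


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a number enrolled 30 days ago, then swapped."""
    reg = OperatorRegistry()
    t0 = datetime(2024, 1, 1, 9, 0)
    reg.activate("+15555550100", "IMSI-VICTIM-CONSTRUCTED", t0)
    before = mtan_delivery_decision(reg, "+15555550100", t0 + timedelta(days=30))
    reg.swap_sim("+15555550100", "IMSI-FRAUD-CONSTRUCTED", t0 + timedelta(days=30, hours=1))
    after = mtan_delivery_decision(reg, "+15555550100", t0 + timedelta(days=30, hours=2))
    return before, after
```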
It would be desirable to address these issues.